Jenkins Google Authentication

In Jenkins by default user authentication is not enabled but we can establish the user authentication from the Global Security section. We have to create users for team members and it maintains all user in its own database. But we can also configure Jenkins with Google oAuth. So, if you are leveraging Google services and already have users on it. The users can login to Jenkins and perform their task.

I am assuming that we have already installed Jenkins server and have admin right to make changes in it. The whole configuration is divided into three easy steps.

1. Create Google OAuth Client Key

Before we start, we need to a create a project in Google developer console. In this project we will generate authantication credentials to enable OAuth API.

To create your project login to Google developer console and in top bar select Create project:

In the pop-up window specify your project name it can be any name which is more meaning full to you. Here I have created a project named Jenkins OAuth. In the advanced section, you can select app engine geographical location:

It will take few minutes to create your project. Once it completes, on the left sidebar under API Manager select Credentials and then click on Create Credentials:

In Create Credentials drop down menu there are three options. We will choose OAuth client ID to create client id. It will genrate API credentials and these credentails are required to configure in Jenkins in last step:

As we are going to integrate this in Jenkins and it is a web service, So in application type select Web application:

In the next section, Register Jenkins URI from where we allowed to access the Google APIs. We have to provide Jenkins server detail. You can replace jenkins.mydimain.com with your own Jenkins URI. This will be the landing page of your Jenkins server. Once you hit this page it will be redirected to google for the authentication:

The authorized redirect URIs is required to redirect you after successful login. It is the combination of your Jenkins landing page and a suffix string to validate you are a logged in user. As we want to land user to Jenkins dashboard, so it has the same URI which we mentioned in the previous step and don’t forget to include securityRealm/finishLogin at the end:

Here we have Client ID and Client Secret. Copy and save these credential as these will be used to enable Google APIs in Jenkins:

2. Install Google Login Plugin

In Jenkins there is no mechanism to configure OAuth but there are many plugins are available and we are using Google Login plugin. We can easily install this plugin from Manage Jenkins –> Manage Plugins –> Available and search for “Google Login”. Select the plugin. There is no need to restart to install this plugin. This plugin allows for the register Google OAuth and performs authentication:

3. Configure Jenkins

In this step, we will setup Google security credentials in installed plugin. Navigate to manage Jenkins –> Configure Global Security and select Login with Google under Security Realm paste credentials generated in the first step. In the last field do not forget to enter your domain name it allows you to restrict access to given domain name:

Immediately after saving changes Jenkins will allow access to all users in your domain. Now, try to login into your Jenkins it will redirect you to Google Authentication page. If everything is set up properly you will be logged in but just in case you’re still facing any problem go back and check each step. The logged in user can do anything and if you want to restrict users you can implement Matrix-based security.

Hi Patrick, just in case you are still facing this issue, you can recover your jenkins be editing:
/var/lib/jenkins/config.xml
Look for the line:
true
And change true to false. Then you can access your jenkins box again, and reconfigure your security. I ran through all of these issues as well, so if you still have some issues, let me know and I’ll help where I can.

I’m trying to follow the above method but it becomes tricky in the authorized redirect URIs section, since the original client application (jenkins) is an IP address and this section doesn’t allow IP address.
plz help.

Rajdeep is AWS certified solutions architect & AWS certified DevOps engineer with his experience in configuration, monitoring, and troubleshooting of operating systems. He keeps himself ready to tie up with new open source technologies and insight to elevate running application infrastructure to the cloud. He loves to capture moments.